A majority of CISOs at small- and medium-sized businesses say they're at greater risk of attack than their counterparts at large enterprises, according to a Cynet survey. (Petty Officer 2nd Class Hunter Medley/Coast Guard)

Cynet on Wednesday released a study of CISOs at small- and medium-sized businesses (SMBs) that found some 58% felt their risk of attack was higher compared with enterprises, despite the reality that enterprise networks are much larger targets.

The study, based on responses from 200 CISOs with five or fewer security staff members and security budgets of $1 million or less, also found that 94% say they face barriers to maintaining their security posture, due largely to a lack of skilled security personnel (40%), excessive manual analysis (37%), and the increasingly remote workforce (37%).

In other findings, 87% say they have difficulty managing and operating their threat protection products because of overlapping capabilities (44%) and difficulty visualizing the full scope of an attack (42%). The result: 90% of small security teams are outsourcing security mitigation to a managed detection and response (MDR) service, while also using managed security service provider (MSSP) services (21%) and virtual chief information security officer (vCISO) services (15%).

SMBs have fewer resources from both a people and a budget perspective to secure their environments, said Matt Warner, CTO at Blumira. However, Warner said threat actors are increasingly targeting resource-strapped teams, knowing that they are particularly vulnerable to attacks. Warner said when SMBs are hit with ransomware, they often struggle to pay the ransom or can’t afford the downtime that comes with it, making an attack disproportionately devastating for a smaller business than an enterprise.

“Smaller organizations typically don’t have dedicated cybersecurity staff,” Warner said. “Instead, someone from the IT team may handle cybersecurity along with a variety of other responsibilities. This makes it challenging for organizations to keep up with evolving threats and manage security platforms, especially complex solutions that generate countless alerts and provide little support.”

Will Lin, managing director at Forgepoint Capital, added that SMBs are challenged by resource scarcity — from budget to talent, limited backups, and more reliance on SaaS, which can reduce cost and improve ops efficiency, but introduces third-party risk.

Lin said Forgepoint Capital’s recent CISO survey found that SMBs prioritized security hygiene and software supply chain/vendor risk as their top two priorities. Lin said security hygiene has become critical because most breaches result from unpatched systems, misconfigurations, poor passwords and other easily avoidable issues.

“Typically, organizations of this size don’t have the budget to build multiple backups and failovers, with real scenarios where a security incident can put the company out of business,” Lin said. “Also, SMBs have a higher proportion of workloads on SaaS apps, which drives differing priorities around incident response as well.”

Jason Hicks, Field CISO at Coalfire, said that lack of funding challenges SMBs more than anything. Hicks said they simply don’t have the budgets to build a full-scale security program, with sufficient staff to enable the specialization seen at larger firms.

“Vendor consolidation is a good idea for them, as it should allow their staff to become more proficient in the tools they have,” Hicks said. “It’s hard for one individual to become an expert in more than a couple of tools given the broad nature of security roles at an SMB; it’s likely that most team members will not be completely dedicated to security.”